Features Introduced in February 2023
Learn what’s new on Prisma™ Cloud in February 2023.
New Features Introduced in 23.2.2
New Features
FEATURE | DESCRIPTION |
Role Assignment Modification for SSO Sign-In (enhancement) | If you have enabled user access to Prisma Cloud using SSO with JIT provisioning, you can no longer modify those users' roles in the Prisma Cloud administrative console unless they were previously added to the SSO bypass list. For JIT-provisioned users the Identity Provider (IdP) is the source of truth for role assignment, so the role change must be made in the IdP for it to take effect.
|
API Ingestions
SERVICE | API DETAILS |
Amazon ECR | aws-ecr-registry Additional permissions required:
You must manually add the permissions or update the CFT template to enable them. |
Amazon Chime | aws-chime-voice-connector Additional permissions required:
The Security Audit role only includes the permission. You must manually add the permission or update the CFT template to enable . |
Google Analytics Hub | gcloud-analytics-hub-data-exchange-listing Additional permissions required:
The Viewer role includes the permissions. |
Google Compute Engine | gcloud-compute-external-vpn-gateway Additional permission required:
The Viewer role includes the permission. |
Google Dataproc Metastore | gcloud-dataproc-metastore-federation Additional permissions required:
The Viewer role includes the permissions. |
New Policies
NEW POLICIES | DESCRIPTION |
DNS Rebinding Activity Anomaly Policy | A new DNS rebinding activity anomaly policy is now available on the Policies page in Prisma Cloud. It detects compute resources that issue DNS requests for rebinding domains, by inspecting every DNS request made by all monitored compute resources and looking for consecutive anomalous requests. By default, the alert disposition of the policy is set to Conservative. |
Azure AKS cluster is not configured with disk encryption set | Identifies AKS clusters that are not configured with a disk encryption set. The Azure Key Vault Provider for Secrets Store CSI Driver integrates an Azure key vault as a secrets store with an Azure Kubernetes Service (AKS) cluster via a CSI volume. It is recommended to enable the Secrets Store CSI driver for your Kubernetes clusters.
|
Azure Service Fabric cluster not configured with cluster protection level security | Identifies Service Fabric clusters that are not configured with cluster protection level security. Service Fabric provides levels of protection for node-to-node communication using a primary cluster certificate. It is recommended to set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.
|
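The rebinding pattern the new anomaly policy looks for is a name that first resolves to a public address and then, shortly afterwards, to a private, loopback or link-local address, so that a browser or client which already trusts the origin is steered at an internal service (the cloud metadata endpoint is a common target). The following is an added illustrative detector over DNS query logs; it is not Prisma Cloud's anomaly engine or its code. The log format (timestamp, source host, queried name, answer, TTL), the 60-second window and the sample lines are all constructed for the example.

```python
"""Toy DNS rebinding detector over constructed DNS query logs.

Added example, not Prisma Cloud's policy logic. Assumed log format:
ts,src_host,qname,answer,ttl (one record per answered query).
"""
import ipaddress

# Explicit internal ranges: Python's ip.is_private also matches the
# RFC 5737 documentation nets used in the sample, so do not rely on it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local (IMDS lives here)
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

WINDOW_SECONDS = 60  # assumed max gap between the public and the internal answer

# Constructed sample log: a benign CDN name, an attacker name that flips
# from a public address to loopback and then to the metadata endpoint,
# and an internal name that was never public.
SAMPLE_LOG = """\
100,web-01,cdn.example.net,203.0.113.10,300
101,web-01,cdn.example.net,203.0.113.10,300
120,app-02,evil.attacker.example,198.51.100.7,1
121,app-02,evil.attacker.example,127.0.0.1,1
150,app-02,evil.attacker.example,169.254.169.254,1
200,db-03,internal.corp.example,10.0.5.20,3600
"""


def is_internal(ip: str) -> bool:
    """True if the answer points inside the victim's own network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Parse the constructed CSV format into (ts, host, qname, answer, ttl) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, qname, answer, ttl = line.split(",")
        events.append((int(ts), host, qname, answer, int(ttl)))
    return events


def detect_rebinding(events, window: int = WINDOW_SECONDS):
    """Return (host, qname, public_ip, internal_ip, seconds_between) findings.

    A finding is raised when the same (host, qname) pair that recently
    resolved to a public address now resolves to an internal one within
    `window` seconds. Short TTLs are typical of rebinding but are not
    required, because an attacker can also rotate answers server-side.
    """
    last_public = {}  # (host, qname) -> (ts, public answer)
    findings = []
    for ts, host, qname, answer, ttl in sorted(events):
        key = (host, qname)
        if is_internal(answer):
            prev = last_public.get(key)
            if prev and ts - prev[0] <= window:
                findings.append((host, qname, prev[1], answer, ts - prev[0]))
        else:
            last_public[key] = (ts, answer)
    return findings


if __name__ == "__main__":
    for f in detect_rebinding(parse_log(SAMPLE_LOG)):
        print("rebinding suspected:", f)
```

Run stand-alone it reports the two flips for `app-02`; `internal.corp.example` is not reported because it never had a public answer, which is the property that separates split-horizon DNS from rebinding. A production version would key on the resolver's view (answer records, not just the first A record) and tune the window to the TTLs actually seen.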
Policy Updates
POLICY UPDATES | DESCRIPTION |
Policy Updates-RQL | |
AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port | Changes— The policy name and description are updated. The policy RQL is updated to also report instances that expose the HTTP (80) and HTTPS (443) ports, and to report only instances in the active (running) state.
Current Name— AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) other than HTTP/HTTPS port
Updated Name— AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0)
Updated Description— Identifies AWS EC2 instances that are internet reachable with unrestricted access (0.0.0.0/0). EC2 instances with unrestricted access from the internet may enable bad actors to brute force a system and gain unauthorised access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
Current RQL—
Updated RQL—
Impact— Medium. Existing alerts will be resolved as Policy_Updated for instances that are no longer active. New alerts are generated when an instance is internet reachable and configured with an HTTP/HTTPS port. |
AWS Glue connection do not have SSL configured | Changes— The policy RQL is updated to exclude AWS Glue connections of connection type Network from reporting, because they cannot be configured for SSL.
Current RQL—
Updated RQL—
Impact— Low. Existing alerts will be resolved as Policy_Updated. |
Azure Virtual Network subnet is not configured with a Network Security Group | Changes— The policy RQL is updated to exclude subnets associated with private endpoints and private links.
Current RQL—
Updated RQL—
Impact— Medium. Existing alerts will be resolved as Policy_Updated for subnets whose private endpoint is in a disabled state. New alerts are generated for subnets with private endpoints in a disabled state and no network security group. |
Policy Updates-Metadata | |
GCP VPC Network subnets have Private Google access disabled | Changes— The remediation CLI command description is updated to list the granular permissions required to run the command. Updated Remediation CLI Description— This CLI command requires the 'compute.subnetworks.setPrivateIpGoogleAccess' and 'compute.subnetworks.update' permissions. Successful execution will enable 'Private Google access' on GCP VPC Network subnets. Impact— No impact on alerts. |
GCP Storage buckets are publicly accessible to all authenticated users | Changes— The remediation CLI command description is updated to list the granular permissions required to run the command. Updated Remediation CLI Description— This CLI command requires the 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy' permissions. Successful execution will revoke 'allAuthenticatedUsers' access on GCP Storage buckets. Impact— No impact on alerts. |
GCP Storage log buckets have object versioning disabled | Changes— The remediation CLI command description is updated to list the granular permissions required to run the command. Updated Remediation CLI Description— This CLI command requires the 'storage.buckets.update' permission. Successful execution will enable 'versioning' on GCP Storage log buckets. Impact— No impact on alerts. |
GCP Storage buckets are publicly accessible to all users | Changes— The remediation CLI command description is updated to list the granular permissions required to run the command. Updated Remediation CLI Description— This CLI command requires the 'storage.buckets.getIamPolicy' and 'storage.buckets.setIamPolicy' permissions. Successful execution will revoke 'allUsers' access on GCP Storage buckets. Impact— No impact on alerts. |
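The EC2 policy update above changes two things at once: instances that only expose 80/443 are now reported, and instances that are not running are no longer reported. The RQL is not reproduced on this page, so the following is an added example, not Prisma Cloud's query or code, that evaluates both the old and the new rule over constructed data shaped like boto3 describe_instances and describe_security_groups responses (assumption: only the fields used here are modelled, and a public IP address is taken as the proxy for internet reachability; a real check would also confirm a route to an internet gateway and permissive NACLs).

```python
"""Evaluate the 'internet reachable with 0.0.0.0/0 access' EC2 rule.

Added example with constructed input; not Prisma Cloud's RQL.
"""
WEB_PORTS = {80, 443}

# Constructed security groups (boto3-like shape, ingress rules only).
SECURITY_GROUPS = {
    "sg-web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    "sg-ssh-open": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    "sg-office": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}]},
    ]},
    "sg-all": {"IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
}

# Constructed instances: public IP is the (assumed) reachability proxy.
INSTANCES = [
    {"InstanceId": "i-web", "State": {"Name": "running"},
     "PublicIpAddress": "203.0.113.5", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-bastion", "State": {"Name": "running"},
     "PublicIpAddress": "203.0.113.6", "SecurityGroups": [{"GroupId": "sg-ssh-open"}]},
    {"InstanceId": "i-stopped", "State": {"Name": "stopped"},
     "PublicIpAddress": "203.0.113.7", "SecurityGroups": [{"GroupId": "sg-all"}]},
    {"InstanceId": "i-private", "State": {"Name": "running"},
     "SecurityGroups": [{"GroupId": "sg-all"}]},
    {"InstanceId": "i-locked", "State": {"Name": "running"},
     "PublicIpAddress": "203.0.113.8", "SecurityGroups": [{"GroupId": "sg-office"}]},
]


def rule_ports(perm):
    """Ports a single ingress rule opens; None means every port (IpProtocol -1)."""
    if perm.get("IpProtocol") == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def unrestricted_ports(sg):
    """Ports this group opens to the whole internet (0.0.0.0/0 or ::/0); None = all."""
    ports = set()
    for perm in sg["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        opened = rule_ports(perm)
        if opened is None:
            return None
        ports |= opened
    return ports


def find_violations(instances, groups, require_running, ignore_web_only):
    """Instance IDs that are internet reachable with unrestricted ingress."""
    hits = []
    for inst in instances:
        if not inst.get("PublicIpAddress"):
            continue
        if require_running and inst["State"]["Name"] != "running":
            continue
        exposed, all_ports = set(), False
        for g in inst["SecurityGroups"]:
            p = unrestricted_ports(groups[g["GroupId"]])
            if p is None:
                all_ports = True
            else:
                exposed |= p
        if not all_ports and not exposed:
            continue  # nothing open to 0.0.0.0/0
        if ignore_web_only and not all_ports and exposed <= WEB_PORTS:
            continue  # old rule: an HTTP/HTTPS-only exposure was tolerated
        hits.append(inst["InstanceId"])
    return hits


def current_policy(instances=INSTANCES, groups=SECURITY_GROUPS):
    """Pre-update semantics: any state, HTTP/HTTPS-only exposure excluded."""
    return find_violations(instances, groups, require_running=False, ignore_web_only=True)


def updated_policy(instances=INSTANCES, groups=SECURITY_GROUPS):
    """Post-update semantics: running instances only, web ports included."""
    return find_violations(instances, groups, require_running=True, ignore_web_only=False)
```

Against the sample data the old rule flags `i-bastion` and the stopped `i-stopped`; the new rule drops `i-stopped` (resolved as Policy_Updated in the text above) and picks up `i-web`, which is the new HTTP/HTTPS alert the Impact line describes.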
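The two bucket remediations above (revoking 'allUsers' and 'allAuthenticatedUsers') need only getIamPolicy and setIamPolicy because the change is a read-modify-write of the bucket's IAM policy document. The following is an added example, not Prisma Cloud's remediation CLI, that performs that edit on a constructed policy in the bindings shape returned by storage.buckets.getIamPolicy; pushing the result back with the storage client, and the sample policy itself, are assumptions of the example.

```python
"""Revoke public principals from a GCS bucket IAM policy document.

Added example; the policy below is constructed and the function is a pure
transform so it can be tested without touching a real bucket.
"""
import copy

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "user:alice@example.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.admin",
         "members": ["group:ops@example.com"]},
    ],
    "etag": "CAE=",
}


def revoke_public(policy, members=PUBLIC_MEMBERS):
    """Return (new_policy, removed) with the given public principals dropped.

    - A binding left with no members is deleted, which is what the API
      expects (empty member lists are rejected).
    - The etag is preserved so the caller's setIamPolicy acts as a
      compare-and-swap against the version that was read; a concurrent
      edit makes the write fail instead of silently clobbering it.
    - Conditional bindings keep their condition; only members change.
    """
    new = copy.deepcopy(policy)
    removed, kept = [], []
    for binding in new["bindings"]:
        before = list(binding["members"])
        binding["members"] = [m for m in before if m not in members]
        removed += [(binding["role"], m) for m in before if m in members]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new, removed


if __name__ == "__main__":
    fixed, gone = revoke_public(SAMPLE_POLICY)
    for role, member in gone:
        print(f"revoked {member} from {role}")
    # Assumed wiring to the real API (google-cloud-storage), not run here:
    #   policy = bucket.get_iam_policy(requested_policy_version=3)
    #   policy.bindings = revoke_public({"bindings": policy.bindings, ...})[0]["bindings"]
    #   bucket.set_iam_policy(policy)
```

Two caveats a practitioner should keep in mind: on buckets that still use legacy ACLs rather than uniform bucket-level access, public grants can also live in the object and bucket ACLs and are not touched by an IAM policy edit; and revoking access does not rotate anything that was already downloaded while the bucket was public.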
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
Update AWS Foundational Security Best Practices Standard | The AWS Foundational Security Best Practices standard has been updated to map default policies to the relevant sections. Impact— No impact on alerts. The compliance report score will be impacted because of the new mapping. |
Changes in Existing Behavior
FEATURE | DESCRIPTION |
Google Cloud Task Update | Prisma Cloud will no longer ingest gcloud-cloud-task API related resources because these are ephemeral. As a result, all gcloud-cloud-task resources will be deleted from your tenant.Impact— No impact on alerts. |
Deprecation Notices
FEATURE | DESCRIPTION |
Legacy IaC Scan on app.govcloud.io is End of Support | Prisma Cloud no longer supports legacy IaC scanning on GovCloud. The IaC Scan plugins and the DevOps dashboard have been removed from the platform. |
New Features Introduced in 23.2.1
New Features
FEATURE | DESCRIPTION |
Asset Class Filter | An Asset Class is an asset attribute that aligns with the generally intended application of a given asset type. The new Asset Class filter is available on the Asset Inventory and Alerts Overview pages and allows you to filter assets based on the following asset classes:
|
Performance Improvements for Investigate RQL Queries | Config and event query results on the Investigate page are optimized so that the initial set of results loads significantly faster. To enable the faster load times, the backend automatically uses a heuristic search to retrieve the results for your query.
When you enter a query and click Search, the interface loads the first 100 results, and you can use the Load More button to fetch more. The Get Total Count button returns a full count of all matching results; it is available only for eligible queries, that is, queries whose attributes support the heuristic search. All config attributes are currently optimized for faster search, except cloud.accountgroup, azure.resource.group, the limit on search records, aggregate functions (count and group by), and finding type attributes such as finding.type and finding.severity. For event queries, the cloud type attribute supports heuristic search. |
API Access Key Expiration Notifications | Prisma Cloud allows you to create and manage access keys for programmatic access to its features and functionality. To avoid an interruption of API access when a key expires, you can now set up the following Access Key Expiration Notifications:
Navigate to Enterprise Settings > Access Key Expiration Notifications. Updates to the Access Key Expiration Notifications settings may take up to 24 hours to take effect. |
Support for AWS Tags on Prisma Cloud IAM | Prisma Cloud IAM now supports AWS tags. Leverage tags to create RQL queries and dynamic custom policies, by using specific tags to group your cloud resources, roles, groups, policies, etc. when defining your alert rules. |
Send Audit Logs to External Integrations | Forward audit logs from Prisma Cloud to an external integration that you have configured, so that they feed your existing security workflows.
Prisma Cloud does not forward Successful Login audit log messages to external integrations, to minimize noise and log flooding. All other audit log types can be forwarded to any supported external integration, such as Webhook or SQS. For example, Prisma Cloud does not forward the following audit log message.
|
Support for Azure Permission Levels on Prisma Cloud IAM | Prisma Cloud IAM now leverages Azure Permission levels for better visibility into your Azure identity permissions, providing you with a more granular view of granted permissions. In addition, you can use these new attributes to create custom policies to more closely monitor your cloud resources. |
Update IAM Query Attributes | The new operator is now supported for the action.name attribute. With this operator, you can run queries with AND logic between values. For example, to get only the roles that contain all of the actions X, Y, and Z:
Use this operator to query groups, roles, and policies more granularly. |
API Ingestions
SERVICE | API DETAILS |
Amazon CloudWatch | aws-cloudwatch-insight-rule Additional permissions required:
The Security Audit role includes the permissions. |
Amazon Kinesis Video | aws-kinesis-video-stream Additional permissions required:
You must add the permissions manually or use CFT template to update the permissions. |
Google Analytics Hub | gcloud-analytics-hub-data-exchange Additional permission required:
The Viewer role includes the permission. |
Google Compute Engine | gcloud-compute-vpn-gateway Additional permission required:
The Viewer role includes the permission. |
Google Compute Engine | gcloud-compute-target-vpn-gateway Additional permission required:
The Viewer role includes the permission. |
OCI Certificate | oci-certificate-certificates Additional permissions required:
You must manually add these permissions. |
OCI Cloud Guard | oci-cloudguard-security-zone Additional permissions required:
You must manually add these permissions. |
OCI Cloud Guard | oci-cloudguard-security-recipe Additional permissions required:
You must manually add these permissions. |
OCI Data Safe | oci-data-safe-private-endpoint Additional permissions required:
You must manually add these permissions. |
OCI Data Safe | oci-data-safe-target-database Additional permissions required:
You must manually add these permissions. |
OCI IAM | oci-iam-dynamic-group Additional permission required:
You must manually add the permission. |
OCI NoSQL Database | oci-nosql-database-table Additional permissions required:
You must manually add these permissions. |
OCI Scanning | oci-scanning-host-scantarget Additional permissions required:
You must manually add these permissions. |
OCI Scanning | oci-scanning-host-scanrecipe Additional permissions required:
You must manually add these permissions. |
OCI Vaults | oci-vault-keyvault Additional permissions required:
You must manually add these permissions. |
New Policies
NEW POLICIES | DESCRIPTION |
AWS SSM documents are public | Identifies SSM documents that are public and might allow unintended access. A public SSM document can expose information about your account, resources, and internal processes. It is recommended to share SSM documents only with the specific private AWS accounts that require them.
|
AWS CloudFront distributions does not have a default root object configured | Identifies CloudFront distributions that do not have a default root object configured. If a CloudFront distribution has no default root object, requests for the root of the distribution are passed to the origin server, which might return a listing of the origin's private contents. To avoid exposing the contents of your distribution or returning an error, it is recommended to specify a default root object.
|
Azure Storage account is not configured with private endpoint connection | Identifies Storage accounts that are not configured with a private endpoint connection. Azure Storage account private endpoints can be configured using Azure Private Link. Private Link allows users to access an Azure Storage account from within the virtual network or from any peered virtual network. When Private Link is combined with restricted NSG policies, it helps reduce the risk of data exfiltration. It is recommended to configure Private Endpoint Connection to Storage account.
|
Azure Microsoft Defender for Cloud set to Off for Resource Manager | Identifies Azure Microsoft Defender for Cloud configurations in which the Defender plan for Resource Manager (ARM) is set to Off. Enabling Defender for ARM provides protection against suspicious resource management operations, use of exploitation toolkits, and lateral movement from the Azure management layer to the Azure resources data plane. It is highly recommended to enable Defender for ARM.
|
GCP SQL server instance database flag 3625 (trace flag) is not set to on | Identifies GCP SQL Server instances for which database flag 3625 (trace flag) is not set to on. Trace flag 3625 helps prevent the disclosure of sensitive information by masking the parameters of some error messages with '*' for users who are not members of the sysadmin fixed server role. It is recommended to set the 3625 (trace flag) database flag to on for SQL Server instances.
|
Policy Updates
POLICY UPDATES | DESCRIPTION |
Policy Updates-RQL | |
Activity Log Retention should not be set to less than 365 days | Changes— The policy name, description, and recommendations are updated according to the latest vendor UI settings. The policy RQL is updated to check the log profile status, so that disabled log profiles are now reported.
Current Name— Activity Log Retention should not be set to less than 365 days
Updated Name— Azure Activity Log retention should not be set to less than 365 days
Updated Description— Identifies log profiles that have log retention set to less than 365 days. A log profile controls how your Activity Log is exported and retained. Since the average time to detect a breach is over 200 days, it is recommended to retain your activity log for 365 days or more in order to have time to respond to any incidents.
Current RQL—
Updated RQL—
Impact— Low. New alerts will be generated for disabled log profiles. |
Policy Updates-Metadata | |
AWS Certificate Manager (ACM) has invalid or failed certificate | Changes— The policy description is updated. Updated Description— Identifies certificates in ACM that are in the Invalid or Failed state. If an ACM certificate is not validated within 72 hours, it becomes Invalid. An ACM certificate fails when,
In such cases (an Invalid or Failed certificate), you will have to request a new certificate. It is strongly recommended to delete certificates that are in the Failed or Invalid state. Impact— No impact on alerts. |
AWS ECS/ Fargate task definition root user found | Changes— The policy name and description are updated.
Current Name— AWS ECS/ Fargate task definition root user found
Updated Name— AWS ECS Fargate task definition root user found
Updated Description— Identifies AWS ECS Fargate task definitions in which the user name is root. As a best practice, the user inside the container should not be root.
Note: This parameter is not supported for Windows containers. Impact— No impact on alerts. |
CloudTrail trail is not integrated with CloudWatch Log | Changes— The policy name and description are updated.
Current Name— CloudTrail trail is not integrated with CloudWatch Log
Updated Name— AWS CloudTrail trail logs is not integrated with CloudWatch Log
Updated Description— Identifies AWS CloudTrail trails whose logs are not integrated with CloudWatch Logs. Integrating CloudTrail trail logs with CloudWatch Logs enables real-time as well as historical activity logging, which improves monitoring and alarm capability. Impact— No impact on alerts. |
S3 buckets with configurations set to host websites | Changes— The policy name and description are updated.
Current Name— S3 buckets with configurations set to host websites
Updated Name— AWS S3 buckets with configurations set to host websites
Updated Description— Identifies AWS S3 buckets that are configured to host websites. To host a website on AWS S3 you configure a bucket as a website. By surveying these S3 buckets frequently, you can ensure that only authorized buckets are enabled to host websites. Make sure to disable static website hosting for unauthorized S3 buckets. Impact— No impact on alerts. |
Azure Storage account container storing activity logs is publicly accessible | Changes— The policy recommendation steps are updated to reflect CSP UI changes.Impact— No impact on alerts. |
Azure Container Registry does not use a dedicated resource group | Changes— The policy description and recommendation steps are updated according to the new URL provided by the CSP. Impact— No impact on alerts. |
SQL Instances do not have SSL configured | Changes— The policy name, description, and recommendation steps are updated.
Current Name— SQL Instances do not have SSL configured
Updated Name— GCP SQL Instances do not have valid SSL configuration
Updated Description— Identifies GCP SQL instances that do not have a valid SSL configuration with an unexpired SSL certificate. Cloud SQL supports connecting to an instance using the Secure Socket Layer (SSL) protocol. If the Cloud SQL Auth proxy is not used for authentication, it is recommended to use SSL for connections to the SQL instance, to secure data in transit. Impact— No impact on alerts. |
SQL DB Instance backup Binary logs configuration is not enabled | Changes— The policy name, description, and recommendation steps are updated.
Current Name— SQL DB Instance backup Binary logs configuration is not enabled
Updated Name— GCP SQL MySQL DB instance point-in-time recovery backup (Binary logs) is not enabled
Updated Description— Identifies Cloud SQL MySQL DB instances whose point-in-time recovery backup is not enabled. In case of an error, point-in-time recovery helps you recover an instance to a specific point in time. It is recommended to enable automated backups with point-in-time recovery to prevent data loss in an unwanted scenario. Impact— No impact on alerts. |
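The Activity Log retention update in the table above has an edge case worth making explicit: a log profile whose retention policy is disabled enforces no retention period at all, so it can never satisfy a 365-day requirement, which is why disabled profiles are now reported. The following added check is not Prisma Cloud's RQL; it runs over constructed records shaped like the output of az monitor log-profiles list (assumption: only name and retentionPolicy are modelled) and treats a retentionPolicy.days value of 0 as indefinite retention, which is how the Azure Monitor REST API documents that value.

```python
"""Report Azure Activity Log profiles that do not guarantee 365-day retention.

Added example over constructed log-profile records; not Prisma Cloud's RQL.
"""
MIN_RETENTION_DAYS = 365

# Constructed sample: short retention, exact minimum, indefinite (days=0),
# and a profile whose retention policy is disabled despite a high day count.
LOG_PROFILES = [
    {"name": "default", "retentionPolicy": {"enabled": True, "days": 90}},
    {"name": "archive", "retentionPolicy": {"enabled": True, "days": 365}},
    {"name": "forever", "retentionPolicy": {"enabled": True, "days": 0}},
    {"name": "disabled", "retentionPolicy": {"enabled": False, "days": 400}},
]


def retention_enabled(profile):
    policy = profile.get("retentionPolicy") or {}
    return bool(policy.get("enabled", False))


def retention_ok(profile):
    """True only when an enabled policy keeps events >= 365 days or indefinitely."""
    if not retention_enabled(profile):
        return False
    days = (profile.get("retentionPolicy") or {}).get("days", 0)
    return days == 0 or days >= MIN_RETENTION_DAYS  # 0 = indefinite per Azure docs


def noncompliant_profiles(profiles, report_disabled=True):
    """Names of profiles to alert on.

    report_disabled=False reproduces the pre-update behaviour described in
    the release note, where a disabled retention policy was not reported;
    the updated policy reports it.
    """
    out = []
    for profile in profiles:
        if not retention_enabled(profile):
            if report_disabled:
                out.append(profile["name"])
            continue
        if not retention_ok(profile):
            out.append(profile["name"])
    return out


if __name__ == "__main__":
    print("before update:", noncompliant_profiles(LOG_PROFILES, report_disabled=False))
    print("after update: ", noncompliant_profiles(LOG_PROFILES))
```

The difference between the two calls is exactly the "New alerts will be generated for disabled log profiles" impact statement: the `disabled` profile only appears in the second list.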
Changes in Existing Behavior
FEATURE | DESCRIPTION |
Global Region Support for Google VPC Firewall Rule | Prisma Cloud now provides global region support for gcloud-compute-firewall-rules-list . Due to this, all the resources will be deleted, and then regenerated on the management console.Existing alerts corresponding to this resource are resolved as Resource_Deleted, and new alerts will be generated against policy violations. Impact —You may notice a reduced count for the number of alerts. However, the alert count will return to the original numbers once the resources for gcloud-compute-firewall-rules-list start ingesting data again. |
Google VPC Network API Update | Prisma Cloud now provides global region support, as well as a backend update to the resource ID for the gcloud-compute-networks-list API . As a result, all resources for this API will be deleted and then regenerated on the management console.Existing alerts corresponding to these resources will be resolved as Resource_Updated, and new alerts will be generated against policy violations if any. Impact —You may notice a reduced alert count. However, once the resources for gcloud-compute-networks-list resume ingesting data, the alert count will return to the original numbers. |
REST API Updates
CHANGE | DESCRIPTION |
Update Enterprise Settings API | The response object for the GET /settings/enterprise endpoint now includes the following additional properties:
The request body and response object for the POST /settings/enterprise endpoint now include the following additional properties:
|